Netgate Discussion Forum

Guest / Non-Guest Network with Separate DHCP and Firewall Rules?

DHCP and DNS
8 Posts, 2 Posters, 1.4k Views
fvultee (Mar 15, 2019, 9:10 PM):

Strange question here. I have a router that has both a normal and a guest network. I have pfSense configured to hand out IPs via DHCP to authorized MACs. Is there a way to have another subnet for the guest WiFi, so that devices that are NOT in the authorized MAC list are issued an IP via DHCP and use their own firewall rules (i.e. no contact with the MAC-authorized devices)? I know I can do this with a more powerful system since I've seen it done, but I just have a normal SOHO mesh WiFi system running in AP mode and let pfSense run the DHCP service.
JKnott (Mar 16, 2019, 1:28 AM):

The usual way to have guest WiFi is to use a 2nd SSID and VLAN. Then set up the appropriate rules for the guest network. However, with the DHCP server, you can map authorized devices to specific addresses, which don't overlap the DHCP addresses for other devices. You can try filtering on the separate ranges. For example, have the mapped devices in the lower half of the subnet address range and the other devices in the upper half.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
fvultee (Mar 16, 2019, 2:51 PM):

I did exactly that; the issue is that if I only allow certain MACs on my primary LAN and want to assign the guests to the VLAN I have configured, I don't know their MACs in advance, so I'm not sure how to associate them with the VLAN automatically and have them use the VLAN rules instead.
JKnott (Mar 16, 2019, 6:50 PM):

You didn't initially say you had a VLAN. However, why do you have to worry about the MACs? Just give them the SSID & password for the guest WiFi. That way they'll be on the guest VLAN and pfSense should keep them off the local LAN. No need to worry about the MAC, as those users are already segregated.
fvultee (Mar 16, 2019, 7:37 PM, edited Mar 16, 2019, 7:38 PM):

I'm clearly not explaining myself well, but to clarify: I don't have a pfSense install that has its own WiFi support. pfSense is running the DHCP server to issue IPs to devices that connect to a SOHO WiFi AP. I am not clear how to have unknown devices grab an IP from the VLAN and the known devices grab fixed IPs for normal LAN access. Ugh, I'm sure it's easy, I'm just not getting the last step. I'm pretty sure you can't have 2 DHCP servers on the same subnet, so my original config didn't work correctly.
JKnott (Mar 16, 2019, 8:39 PM):

When you create a VLAN, you can also configure the DHCP server to provide addresses to it. The address block must be different from the main LAN. You then configure the AP for the VLAN & 2nd SSID. When guests connect to the guest WiFi, they are connected to the VLAN and get a DHCP address from the VLAN range. I assume the AP supports multiple SSIDs and VLANs.
fvultee (Mar 17, 2019, 1:03 AM):

Nope, my Netgear Orbi mesh WiFi system does not support VLANs natively; that's why I've been trying to figure out a workaround with pfSense. I was thinking that I could also just block the guest DHCP IPs from being able to talk to my other devices by making a block rule, but that didn't work either.
JKnott @fvultee (Mar 17, 2019, 1:33 AM):

@fvultee said in Guest / Non-Guest Network with Separate DHCP and Firewall Rules?:

    Nope, my Netgear Orbi mesh WiFi system does not support VLANs natively; that's why I've been trying to figure out a workaround with pfSense. I was thinking that I could also just block the guest DHCP IPs from being able to talk to my other devices by making a block rule, but that didn't work either.

I just noticed something I missed before:

    (IE no contact with the MAC authorized devices)

PfSense cannot do that, as it has absolutely no effect on traffic between devices on the same subnet. PfSense is a router, which means it only affects traffic that passes through it. The only way to prevent guest devices from contacting "authorized" devices is with a separate SSID and VLAN.
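The guest VLAN setup JKnott describes (own VLAN, own DHCP pool, own rules that cannot reach the LAN), written out as pf rules. This is an added illustration, not from this thread and not pfSense's generated ruleset; pfSense builds the equivalent from what you enter under Firewall > Rules for the VLAN interface. The interface names igb1 / igb1.20, VLAN tag 20 and both address blocks are assumed for the example.

```pf
# Assumed for this example: LAN on igb1 (192.168.1.0/24, authorized devices with
# static DHCP mappings) and guest VLAN 20 on the same port as igb1.20
# (192.168.20.0/24, a plain DHCP pool). The AP must tag the guest SSID with VLAN 20.
lan_if    = "igb1"
guest_if  = "igb1.20"
lan_net   = "192.168.1.0/24"
guest_net = "192.168.20.0/24"
# Every private range, so guests cannot reach the LAN, the firewall's LAN
# address, or anything else routed behind pfSense
private   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set block-policy drop
set skip on lo0

# Default deny on the guest VLAN: anything not explicitly passed below is dropped and logged
block in log on $guest_if all

# Guests must be able to obtain a lease (DHCP discover/request arrives from
# 0.0.0.0:68 to 255.255.255.255:67) and resolve names via the firewall's resolver
pass in quick on $guest_if inet proto udp from any port 68 to any port 67
pass in quick on $guest_if inet proto { tcp, udp } from $guest_net to ($guest_if) port 53

# Guest -> any private address is blocked. This is the "no contact with the
# authorized devices" rule, and it only works because the guests sit on their
# own subnet: their packets have to cross pfSense to reach the LAN, which is
# exactly what a block rule on a single shared subnet never gets to see.
block in quick log on $guest_if from $guest_net to $private

# Everything else from the guest subnet (the internet) is allowed; the stateful
# filter lets the replies back in on its own
pass in quick on $guest_if from $guest_net to any keep state

# The main LAN keeps its existing policy, e.g. the usual allow-all outbound
pass in quick on $lan_if from $lan_net to any keep state
```

The DNS pass rule is placed before the private-range block on purpose: the firewall's own address on igb1.20 is inside 192.168.20.0/24, so without the earlier quick match guests would lose name resolution.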
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.